NSA: We Touch Only 1.6% Of Internet Traffic

Intelligence agency releases new details about the scope and scale of its digital dragnet.

How much Internet traffic is being actively intercepted and reviewed by the National Security Agency (NSA)?

According to newly released details from the NSA, of the estimated 1,826 petabytes of data that flow across the Internet daily, the agency in its foreign intelligence mission touches about 1.6% of that. The claim appears in a seven-page PDF posted Saturday on the NSA's website, intended to communicate in greater detail the scope and scale of NSA collection, as well as the legal basis for that surveillance.

According to the document, the NSA studies only a fraction of the data it intercepts. Notably, of the 1.6% of Internet traffic the NSA touches daily, the agency actively reviews only 0.025%, or about 7,250 GB. "Put another way, if a standard basketball court represented the global communications environment, NSA's total collection would be represented by an area smaller than a dime on that basketball court," the document states.

The newly published overview -- which is "aimed at providing a succinct description of NSA's mission, authorities, oversight and partnerships" -- disclosed that the agency works with a number of overseas organizations to provide signals intelligence pertaining to terrorists, online attackers and other enemies of the state. "NSA partners with well over 30 different nations in order to conduct its foreign intelligence mission," reads the document. "In every case, NSA does not and will not use a relationship with a foreign intelligence service to ask that service to do what NSA is itself prohibited by law from doing."

The document also confirms that the agency runs a number of surveillance programs that involve "[compelling] one or more providers to assist NSA with the collection of information responsive to the foreign intelligence need." Some related, recently outed programs go by cover names such as Blarney, Fairview, Lithium and Oakstar. The agency said those aren't standalone efforts, however, but rather part of a higher-level effort to obtain desired intelligence.

Other efforts, as already revealed publicly, extend to telecommunications providers. On that front, NSA offered additional details pertaining to its Business Records Foreign Intelligence Surveillance Act (FISA) program (a.k.a. BR FISA), through which "specified U.S. telecommunications providers are compelled by court order to provide NSA with information about telephone calls to, from, or within the U.S." The document continues, "The information is known as metadata, and consists of information such as the called and calling telephone numbers and the date, time, and duration of the call -- but no user identification, content, or cell site locational data." It noted that BR FISA has been reauthorized four times by Congress since being launched in 2006.

But have the surveillance programs -- and potential privacy tradeoffs -- been worth it? Gen. Keith Alexander, who leads the NSA, said in a keynote speech at this year's Black Hat information security conference in Las Vegas that 54 terrorist-related activities -- 13 of them in the United States -- had been thwarted thanks to the NSA's surveillance programs. Building on that statement, the newly published NSA document said that of the 13 domestic activities, BR FISA played a role in 12.

The release of new details pertaining to the NSA's surveillance efforts came just one day after President Obama called on Congress to reform the Patriot Act and Foreign Intelligence Surveillance Court authorized by FISA. In a press conference, he also recommended adding greater oversight of and transparency into the NSA's intelligence collection efforts, directed the NSA to add its first-ever Civil Liberties and Privacy Officer, and called on a group of outside experts to study the NSA's current surveillance technology and detail the security, privacy and foreign policy implications related to their use.

Also Friday, the White House released a 22-page white paper arguing that the government has broad latitude when it comes to collecting telephone metadata. But it also noted that the surveillance programs authorized by FISA and the Patriot Act can legally be used only for counterterrorism purposes, and said the surveillance effort "includes internal oversight mechanism to prevent misuse."

In response to Obama's call for the NSA's surveillance programs to be reformed, WikiLeaks chief Julian Assange issued a statement saying the move vindicated former NSA contractor Edward Snowden's whistleblowing. "But rather than thank Edward Snowden, the President laughably attempted to criticize him while claiming that there was a plan all along, 'before Edward Snowden,'" said Assange. "The simple fact is that without Snowden's disclosures, no one would know about the programs and no reforms could take place."

Regardless, President Obama's proposed reforms may face an uphill battle. Notably, House Homeland Security Committee Chairman Michael McCaul (R-Tex.), who formerly dealt with the FISC while working as a counterterrorism prosecutor, warned Sunday on NBC that Obama's proposals could "slow down the efficacy and efficiency of our counterterrorism investigation."

Meanwhile, Sen. Ron Wyden (D-Ore.), who wants to see the domestic telephone metadata interception program shuttered, said the proposals didn't go far enough. "Notably absent from President Obama's speech was any mention of closing the backdoor searches loophole that potentially allows for the warrantless searches of Americans' phone calls and emails under section 702 of the Foreign Intelligence Surveillance Act," he said in a statement. "I believe that this provision requires significant reforms as well and I will continue to fight to close that loophole."

NSA is looking at a dime-sized amount of information on a basketball court. I like that metaphor. But it matters more than a dime to me whether I'm included in that speck. We need judicial oversight of this process, not the security agencies being a rule unto themselves.

This is a slippery slope, both in the US and in every other country in the world. I've always believed that people should expect whatever they put online to be seen by others, no matter what privacy protections they take. That's not a good thing; it's just a reality. I'm wary that governments are actively spying, but isn't that what Google and Facebook do, too? Will we see a day when governments pay private tech companies for that service? In the US, we have come to expect that sort of activity to be controlled by court-ordered warrants issued in secret, and the security court allowed this under that standard. In other countries, the order may simply come from the military or the government. Eventually, we'll all be in some government's file for what we say. I may be in there now just for this post. That's nothing short of creepy.

Hey NSA, you've been so much more than kind. You can keep the dime. But only if you throw the rest away. Except, we all know you're not going to do that. You're going to keep it for whenever you feel like looking at it. That's the problem. I agree with AbneyW074, it's a shame, but we need more new products like Cloudlocker, TOR, Startpage, etc, to give NSA as small a target as possible.

Years ago, talking about email encryption services like TOR or personal cloud devices that you keep in your home like CloudLocker would have made you seem incredibly paranoid. Not so anymore. In fact, I expect the market for products that protect personal privacy to grow by leaps and bounds. It's really a shame.
